docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
Lines changed: 6 additions & 3 deletions
@@ -26,7 +26,7 @@ Entity risk scores are determined by the following risk inputs:
26
26
|==============================================
27
27
28
28
29
-
The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
29
+
The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias, and the latest score for each entity is stored in `risk-score.risk-score-latest-<space-id>`.
30
30
31
31
NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
32
32
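Review bot: The added sentence names `risk-score.risk-score-latest-<space-id>` without saying what kind of object it is, whereas the first half of the sentence explicitly calls `risk-score.risk-score-<space-id>` a "data stream alias". Readers will wonder whether the `-latest` target is also an alias, an index, or a transform destination; state its type the same way, e.g. "and the latest score for each entity is stored in the `risk-score.risk-score-latest-<space-id>` index/alias", so the two halves of the sentence are parallel and a reader querying it knows what to expect.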
@@ -40,7 +40,7 @@ NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose t
40
40
41
41
. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<entity-risk-summary, risk summary>>.
42
42
43
-
. The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
43
+
. The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine calculates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
44
44
+
45
45
[width="100%",options="header"]
46
46
|==============================================
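Review bot: Changing "updates" to "calculates" in the asset-criticality step still leaves the actual operation unstated: "calculates the risk score based on the default risk weight for each criticality level" does not tell the reader how the weight combines with the Alerts aggregate. The worked example later in this same change spells it out as an addition ("Adds the asset criticality risk contribution score (16.95) to the aggregated risk score (36.16)"), so consider saying here that the criticality contribution is added to the aggregated Alerts score, so the step description and the example describe the same computation.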
@@ -69,6 +69,8 @@ NOTE: Asset criticality levels and default risk weights are subject to change.
69
69
70
70
|==============================================
71
71
72
+
The risk score is updated every hour based on the configured date and time range, which defaults to 30 days. Each update generates a new score, calculated independently of any previous scores.
73
+
72
74
.Click for a risk score calculation example
73
75
[%collapsible]
74
76
====
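Review bot: The new paragraph refers to "the configured date and time range, which defaults to 30 days" without saying where that range is configured. The NOTE earlier in this file already links to <<turn-on-risk-engine, turning on the risk engine>> for a related choice, so cross-reference that section here too, e.g. "based on the date and time range configured when <<turn-on-risk-engine, turning on the risk engine>>". Also consider making the independence claim concrete for operators: "calculated independently of any previous scores" implies a score can drop as old alerts age out of the window, which is worth stating since it affects how people read trends in the stored scores.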
@@ -93,7 +95,8 @@ To calculate the user risk score, the risk scoring engine:
93
95
. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category.
94
96
. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**.
95
97
. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95.
96
-
. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level.
98
+
. Adds the asset criticality risk contribution score (16.95) to the aggregated risk score (36.16), and generates a user risk score of 53.11.
99
+
. Assigns `User_A` a **Moderate** user risk level.
97
100
98
101
If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
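Review bot: The split into two steps checks out arithmetically (36.16 + 16.95 = 53.11) and matches the closing sentence that the score stays at 36.16 without a criticality level. One documentation point: the 16.95 contribution for **Extreme impact** is presented as a fixed number, but the NOTE above says "Asset criticality levels and default risk weights are subject to change". Add a short qualifier in the example, such as "(based on the current default risk weight for **Extreme impact**)", so the example does not go stale silently if the weights table changes.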